Web Services Security Requirements


Stephen T. Whitlock

Security Architect

Boeing

Outline
  • Disclaimer
    • Requirements are from a user perspective to cover the use of web services in our environment
    • Some of these requirements are met by existing technologies
  • Requirements
    • WS data/transaction/orchestration
    • Infrastructure
    • General
  • Examples
WS Transaction/Orchestration Protection Requirements
  • Data protection
    • Integrity
    • Confidentiality
    • Privacy support
  • Resistant to
    • Replay attacks
    • Person in the middle attacks
    • Orchestration hijacking
  • Evidence to support non-repudiation
    • Signature
    • Timestamp
    • Audit trail
Infrastructure Protection Requirements
  • Transport
    • Integrity
    • Confidentiality
  • Authentication
    • Multiple mechanisms – certificates, shared secrets, Kerberos/AD
    • Application authentication
    • User authentication
  • Access control
    • Multiple mechanisms – RBAC, directory based
    • Credential propagation
    • Credential caching
    • Transaction level granularity – resource or application access authorized separately from individual transaction authorization
More Infrastructure Protection Requirements
  • Resource protection
    • Server and network isolation
    • Server resource control
    • Network bandwidth control
  • Centralized
    • Policy administration
    • Provisioning
    • Access control
    • Auditing
    • Monitoring
General Requirements
  • User transparent (AMAP)
  • Standards based
    • Vendor neutral
    • Interoperable – no proprietary value-added extensions
    • IPR Free
  • Compatible with existing security technology
    • VPNs – IPSec, TLS
    • PKI
    • LDAP
  • Performance
    • Support for real time applications
    • Reliable
    • Redundancy
  • Extensible
  • Development environment that enables and promotes the creation of secure web services
Future Requirements
  • Secure context passing between different web services
  • Pass a security context through an integration broker including support for:
    • End to end access
    • The ability to switch between environments such as J2EE and .NET
Example 1: Web Single Sign On (WSSO) based end to end security
  • WSSO accepts user credentials
    • Account, password, X.509 certificate
    • Front end to multiple applications
  • Using the same approach to provide web service to web service application security
WSSO – Desired Service
  • Diagram (not reproduced): Requesting web service, Request, Service 1
  • Labeled steps
    • 1. Client request
    • 2. Application request
    • 3. Service response

WSSO – Needed Security
  • Diagram (not reproduced): Requesting web service, Request, Service 1
  • Security labels on the diagram
    • Application authentication
    • User authentication
    • Enterprise protection
    • Confidentiality
    • Message integrity
    • Audit trail
    • Signature
    • Service protection
    • Access control

WSSO – Existing Security
  • Diagram (not reproduced): Requesting web service, Request, Authentication Service, Validation Service, Directory, Service 1
  • Other labels on the diagram: SSL/TLS, Perimeter to protect application
  • Labeled steps
    • 1. Client logon
    • 2. Client request
    • 3. Application certificate
    • 4. Authentication Request
    • 5. Check for revocation
    • 6. Directory attribute check
    • 7. Credential cache
    • 8. Application request
    • 9. Service response

Example 2: Engineering Drawing Application (EDA)
  • Supports engineering drawings and parts lists
  • Total database size = 1.5TB, About 15M documents, Average document size = 100KB
  • Query to retrieval time < 2 seconds
  • Supports 1500 concurrent users, average of 1000 TPM, peak of 2000 TPM
  • Currently undergoing an expansion and conversion to web services
EDA Architecture
  • Diagram (not reproduced): Internet, Intranet, User (shown twice), Load Bal, HTTP Server, Web Server, EJB Container, Datastore Manager, New Datastore, Legacy Datastore, Other systems and data
  • Other labels on the diagram: For SOAP objects, For web pages, SOAP Messages

EDA Needed Security
  • Diagram (not reproduced): Internet, Intranet, User (shown twice), Load Bal, HTTP Server, Web Server, EJB Container, Datastore Manager, New Datastore, Legacy Datastore, Other systems and data
  • Security labels on the diagram
    • Confidentiality (shown twice)
    • Message integrity
    • Audit trail
    • Signature
    • Enterprise protection
    • User authentication (shown twice)
    • Service resource protection
    • Access control
    • Application authentication

EDA Existing Security
  • Diagram (not reproduced): Internet, Intranet, User (shown twice), Firewall, Rev Proxy, Load Bal, HTTP Server, Web Server, EJB Container, Datastore Manager, New Datastore, Legacy Datastore, Other systems and data
  • Security label on the diagram: Directory based Authentication and Access Control Service

Centralized Parts Inventory (CPI)
  • Descriptions of parts
  • Current parts stock level information
  • Originally a collection of disparate web sites linked to different databases
  • In the process of being converted to a centralized service that provides a common look and feel and navigation services
CPI Architecture
  • Diagram (not reproduced): Navigation Services, Common Look and Feel Services, Object Database, Access Rules Database
  • Parts Descriptions, with Descriptions Access Rules: Descr. Obj 1, Descr. Obj 2, Descr. Obj n
  • Parts Inventory Status, with Inventory Access Rules: Inv. Obj 1, Inv. Obj 2, Inv. Obj n

CPI Needed Security
  • Diagram (not reproduced): Navigation Services, Common Look and Feel Services, Object Database, Access Rules Database
  • Parts Descriptions, with Descriptions Access Rules: Descr. Obj 1, Descr. Obj 2, Descr. Obj n
  • Parts Inventory Status, with Inventory Access Rules: Inv. Obj 1, Inv. Obj 2, Inv. Obj n
  • Security labels on the diagram
    • Enterprise protection
    • User authentication
    • User Authorization
    • Confidentiality
    • Message integrity
    • Audit trail
    • Signature
    • Application access control

CPI Existing Security
  • Diagram (not reproduced): Navigation Services, Common Look and Feel Services, Object Database, Access Rules Database
  • Parts Descriptions, with Descriptions Access Rules: Descr. Obj 1, Descr. Obj 2, Descr. Obj n
  • Parts Inventory Status, with Inventory Access Rules: Inv. Obj 1, Inv. Obj 2, Inv. Obj n
  • Security labels on the diagram
    • Directory and Certificate based Authentication and Access Control Service
    • Perimeter Services

Conclusions
  • We need data protection for web services messages
    • SSL/TLS is insufficient because it only provides integrity at the packet level, not at the XML message level
  • We need interoperable, multivendor solutions
  • Security solutions need to integrate with existing security technologies
  • Security solutions must work between enterprises as well as within them
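
The first conclusion, together with the replay and timestamp requirements listed earlier, shown as an added example that is not part of the original presentation: a message-level integrity check that still holds after an intermediary ends the TLS session, plus timestamp and nonce replay checks at the receiving service. Assumptions: JSON and an HMAC over a shared secret stand in for XML messages and digital signatures (an HMAC does not give the non-repudiation evidence the slides ask for, which needs an asymmetric signature), and every name, the key, the skew window and the sample messages are constructed.

```python
import hashlib
import hmac
import json

SHARED_KEY = b"constructed-demo-key"  # assumption: secret shared by requester and service
MAX_SKEW = 300                        # assumption: timestamps accepted within 5 minutes


def _mac(header: dict, body: dict) -> str:
    signed = json.dumps({"header": header, "body": body}, sort_keys=True).encode()
    return hmac.new(SHARED_KEY, signed, hashlib.sha256).hexdigest()


def protect(body: dict, nonce: str, now: float) -> dict:
    """Requester side: attach timestamp, nonce and a MAC covering all three."""
    header = {"timestamp": int(now), "nonce": nonce}
    return {"header": header, "body": body, "mac": _mac(header, body)}


def broker_forward(msg: dict, altered: bool = False) -> dict:
    """Intermediary hop: inbound TLS ends here; only the MAC still covers the message."""
    out = json.loads(json.dumps(msg))   # re-serialized copy, as a broker would emit
    if altered:
        out["body"]["quantity"] = 9999  # constructed change made between the two hops
    return out


def verify(msg: dict, seen_nonces: set, now: float) -> str:
    """Service side: returns 'accepted' or the reason for rejection."""
    expected = _mac(msg["header"], msg["body"])
    if not hmac.compare_digest(expected, msg.get("mac", "")):
        return "rejected: integrity"
    if abs(now - msg["header"]["timestamp"]) > MAX_SKEW:
        return "rejected: stale timestamp"
    if msg["header"]["nonce"] in seen_nonces:
        return "rejected: replay"
    seen_nonces.add(msg["header"]["nonce"])
    return "accepted"


def demo() -> list:
    t0, seen = 1_700_000_000.0, set()   # constructed clock value, empty nonce cache
    msg = protect({"part": "constructed-part-001", "quantity": 5}, "n-1", t0)
    return [
        verify(broker_forward(msg), seen, t0 + 1),                # intact after the hop
        verify(broker_forward(msg), seen, t0 + 2),                # same message again
        verify(broker_forward(msg, altered=True), seen, t0 + 3),  # changed at the broker
        verify(protect({"part": "constructed-part-002"}, "n-2", t0), seen, t0 + 900),
    ]
```

Calling `demo()` returns one verdict per case; the nonce cache here is an in-memory set, so a real service would need a shared, expiring store sized to the skew window.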